13 Comments to 'Using Let’s Encrypt certificates with mosquitto'

Thanks for the tutorial!
Note that “BEGIN CERTIFICATE” and “END CERTIFICATE” are surrounded by 10 hyphens “-” and not 4 minuses “–” unlike how WordPress displays it.

To avoid messing around with the syntax of the certificate you can find the DST Root CA X3 here http://pastebin.com/raw/z7SP4pb9 or on any good Linux box there: /etc/ssl/certs/DST_Root_CA_X3.pem

Kage 2016/03/07

I’m sorry but this leaves out quite bit of important information. I would be happy if anyone could clear this up:

My certificate comes up as “issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3” so I’m to go to the link. It says open editor, paste, then nothing? What am I supposed to save it as? I’m going to assume as something, so I saved it as something.pem

Then run the command:
cat /etc/letsencrypt/live/example.com/chain.pem /etc/letsencrypt/something.pem > /etc/letsencrypt/live/example.com/chain-ca.pem

I’m able to get the server up and running with this, but clients refuse to connect. The server gives back error:

I was able to get it working, the reason for that error is because the mosquitto user does not have access to the files in /etc/letsencrypt. I solved this by copying the .pems to /etc/mosquitto/certs and updating the permissions appropriately for the “mosquitto” user.

Also, you don’t have to concat anything to create chain-ca.pem, just use the fullchain.pem that letsencrypt already has.

Hope that helps…

ScottE 2016/04/06

Correction to my previous comment:

Actually, you don’t need chain-ca.pem or fullchain.pem – in the mosquitto configuration specify ONLY certfile and keyfile, do not specify cafile at all. Then, you can connect, using only username and password in the clients (no need to give the client any TLS options).
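A small pre-flight check, added here as an example and not code from the post or from the mosquitto project, for the two pitfalls discussed above: BEGIN/END lines whose hyphens were turned into dashes by a web editor, and a concatenated chain-ca.pem that is incomplete. The readable_as_user helper assumes the broker drops to a service account named "mosquitto" and must itself be run as root; the PEM bodies below are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# check_pem_bundle FILE
# Validates a PEM bundle before it is referenced as cafile/certfile in mosquitto.conf:
#   - every BEGIN/END marker uses exactly five ASCII hyphens on each side (an editor
#     that turns "-----" into an en dash produces a file OpenSSL cannot parse)
#   - BEGIN and END markers are balanced, so a concatenated chain-ca.pem is intact
# Prints the number of certificates on stdout and returns 0; returns 1 otherwise.
check_pem_bundle() {
  file="$1"
  [ -r "$file" ] || { echo "$file: not readable" >&2; return 1; }
  markers=$(grep -c 'CERTIFICATE' "$file" || true)               # every marker-like line
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
  if [ "$markers" -ne $((begins + ends)) ]; then
    echo "$file: marker line(s) with non-standard dashes or trailing text" >&2; return 1
  fi
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "$file: missing or unbalanced BEGIN/END CERTIFICATE markers" >&2; return 1
  fi
  echo "$begins"
}

# readable_as_user USER FILE
# Confirms the broker's unprivileged account (assumed: "mosquitto") can open FILE
# after the daemon has dropped root privileges. Must be run as root; returns 0 if readable.
readable_as_user() {
  su -s /bin/sh "$1" -c "test -r '$2'"
}

# Constructed samples: placeholder base64 bodies, not real certificates.
PEM_TMP=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBxjCCAW+gAwIBAgIUc29tZXRoaW5n' \
  '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
  'MIIBxjCCAW+gAwIBAgIUYW5vdGhlcg==' '-----END CERTIFICATE-----' > "$PEM_TMP/chain-ca.pem"
# The same bundle after a copy/paste that replaced each run of hyphens with an en dash.
sed 's/-----/–/g' "$PEM_TMP/chain-ca.pem" > "$PEM_TMP/garbled.pem"

for f in chain-ca.pem garbled.pem; do
  if n=$(check_pem_bundle "$PEM_TMP/$f"); then
    echo "$f: ok, $n certificate(s)"
  else
    echo "$f: rejected"
  fi
done
```

Run it against the real bundle as root (readable_as_user mosquitto /etc/letsencrypt/live/example.com/fullchain.pem) to see whether the permission problem described above applies before copying anything.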

[…] it to mosquitto.conf to use as a base config for us to modify. There’s details on using the Let’s Encrypt service on the mosquitto site. If you’re using it on the public internet I’d strongly […]

Dox 2016/05/16

On my Ubuntu host, I had to tell mosquitto_pub/sub to use -p 8883 (which I expected as it’s not the standard 1883) and, the path to my OS trusted root certs (which I didn’t). I was thinking that, like https in a browser infers :443 on the end of the URL, -p 8883 would infer SSL/TLS to the client but it doesn’t.

Replace with whatever you asked for in your LetsEncrypt certificate (the directory after /etc/letsencrypt/live// ) and point --capath to where your OS stores its root CA files. This step allows the client to validate the server cert, it’s not the same as the server requiring a client cert too.

On the server
————-
1. AWS Ubuntu 16.04 LTS
2. Mosquitto 1.4.11
3. Letsencrypt set up, certificates generated and an MQTT listener configured as per the instructions above. This didn’t work so I copied fullchain.pem and privkey.pem into /etc/mosquitto/certs, changed ownership to mosquitto and permissions to 777 (just for testing and to eliminate any possible issues)

Running the following command from the server commandline and it works:

So why does the mosquitto_sub command work on the server itself but not on a remote machine?

Simon Greenwood 2017/06/15

@Roy: I haven’t tried this yet but you probably need the same CA cert on your client machine. I’m just about to try this.

However, the SSL implementation is basically wrong: the certificates should be loaded before the process changes to the non-privileged user – look at how nginx or apache handles SSL, there shouldn’t be any need to copy the certs into the application directory.